Windows showing up as not genuine, error 0x8004FE21

Question
-
We are having issues with a Dell Optiplex 3010, Windows 7 x64, SP1. Everything worked fine fresh out of the box, until I was installing our company's specific software. Office Standard 2010 installed just fine, as well as PDF Complete, .Net 2.0 Configuration Wizard (for outdated web-based software), Adobe Flash, Adobe Reader, and Java. The problem comes when installing Lync 2010 x64 (Volume Licensing). It installs just fine, but as soon as it does, the Security Center service stops working. It changes it from auto-start to disabled, with no errors in the event viewer. When I change it back to auto start, the service starts just fine, but it goes back to disabled within seconds.
After doing some research, I discovered that Windows shows up as not valid anymore. Below is the MGADiag log. I've tried reinstalling everything from the built-in Factory Image and the disk that came directly from Dell, but it breaks as soon as we install Lync. This is driving us nuts, and we have multiple Optiplex 3010 machines that are doing this. We've tried installing the latest Intel Rapid Storage drivers but that did not change. SFC /scannow says that there are integrity violations, but it isn't able to fix all of them. We are not concerned at all with data, as the user hasn't even received the machine yet. Any ideas? We haven't installed any antivirus yet on this machine, so as to avoid any conflicts.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {6A7E27C4-92CC-42FE-8350-9A29C0FB8E64}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6A7E27C4-92CC-42FE-8350-9A29C0FB8E64}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7601.0000-3652013
Installation ID: 017644968056766821704982002783835304670331514004396214
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 1/2/2014 9:39:50 AM
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000008001
Event Time Stamp: 12:31:2013 13:11
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
HWID Data-->
HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET DELL CBX3
MCFG DELL CBX3
FPDT DELL CBX3
ASF! INTEL HCG
SSDT SataRe SataTabl
SSDT SataRe SataTabl
SSDT SataRe SataTabl
DMAR INTEL SNB
SLIC DELL CBX3
Thursday, January 2, 2014 8:47 PM
Answers
-
That's worrying.
Check any other affected machine - you may have a worm on the network that's got in under the radar somehow and is spreading nasties around :(
I'd also take this machine off the network, and run an offline security scanner on it - http://www.microsoft.com/security/scanner/en-gb/default.aspx is pretty good, or you can use your favoured one and create the boot disk on a known-clean machine.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
- Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
Friday, January 3, 2014 6:32 PM Moderator
-
Hey Noel,
You hit the nail on the head. I had the issue a few weeks ago and resolved it by downloading a new copy of Lync 2010 from the Volume Licensing website. I went ahead and deleted the copy we had saved on our file server and replaced it with this one that I had just downloaded. A few days later, I came back and used the copy I had recently uploaded to the server, and had issues again. I figured that since it was a brand new copy, no way it would cause issues. We are in the process of combing through the server for viruses. Any hints on where we can look or the best way to do it? This is a file server that many people use, and although we haven't had any virus issues come up recently, we want to take care of this one as fast as possible.
- Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
Friday, January 3, 2014 7:33 PM
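One way to check the suspicion in the post above, that an installer stops matching its original download after sitting on the file server: take a hash baseline right after download and compare the share against it before each install. This is an added example, not part of the thread; the file names and the `demo` scenario are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its size and SHA-256."""
    manifest = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return manifest


def verify_share(root, baseline):
    """Compare the share's current contents with a baseline taken on a clean machine."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel in sorted(baseline):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(
                {"path": rel, "size_delta": current[rel]["size"] - baseline[rel]["size"]}
            )
    # Files nobody put in the baseline deserve a look too, but do not block an install.
    report["unexpected"] = sorted(set(current) - set(baseline))
    report["safe_to_install"] = not (report["modified"] or report["missing"])
    return report


def demo():
    """Constructed scenario: a stored installer is altered after the baseline was taken."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "redist"))
        files = {
            # Placeholder bytes, not real binaries.
            "lync-installer.exe": b"MZ" + b"\x00" * 4094,
            "redist/vcredist_x64.exe": b"MZ" + b"\x11" * 2046,
        }
        for rel, data in files.items():
            with open(os.path.join(share, *rel.split("/")), "wb") as handle:
                handle.write(data)

        # In practice the baseline is taken right after download and stored off the share.
        baseline = build_manifest(share)

        # Simulate the stored copy changing after upload (the thread suspects this).
        with open(os.path.join(share, "lync-installer.exe"), "ab") as handle:
            handle.write(b"\xcc" * 512)
        with open(os.path.join(share, "unknown.exe"), "wb") as handle:
            handle.write(b"MZ")

        return verify_share(share, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the file server's users and processes cannot write to; a baseline stored next to the installers can be changed along with them.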
All replies
-
Please run a full CHKDSK and SFC scan....
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key.
You will be told that the drive is locked,
and the CHKDSK will run at the next boot - hit the Y key, press Enter, and then reboot.
The CHKDSK will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) -
then run the SFC.
SFC -System File Checker - Instructions
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
SFC /SCANNOW
and hit the Enter key
Wait for the scan to finish - make a note of any error messages - and then reboot.
Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload it to your SkyDrive Public folder (http://skydrive.live.com ) and post a link to it so that I can take a look.
Post a new MGADiag report with details of any error messages encountered.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Thursday, January 2, 2014 9:08 PM Moderator
-
Hi Noel,
Thanks in advance for the help. I ran the chkdsk and didn't see any errors. When the SFC scan finished, it said that it found integrity violations and it couldn't fix all of them, so some of them would be fixed on a reboot. Here is the link for the CBS.log: https://skydrive.live.com/redir?resid=8A953BEC8992C1D0!2592&authkey=!AFIe9iZ-gPTFEuY&ithint=file%2c.log
Here is the WGADiag from after the chkdsk and sfc scannow.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-JHV4K-9VW9H-RFD9G
Windows Product Key Hash: Exj6FPDM+80pRf+sv/UAbh+fhkU=
Windows Product ID: 00371-OEM-9321904-93017
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {CC4EA63F-46BA-4A85-8633-2A8FB7AD65B7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CC4EA63F-46BA-4A85-8633-2A8FB7AD65B7}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RFD9G</PKey><PID>00371-OEM-9321904-93017</PID><PIDType>8</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: da22eadd-46dc-4056-a287-f5041c852470
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00186-219-093017-02-1033-7601.0000-0022014
Installation ID: 019934913150087910968895249246892974481846077525312055
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: RFD9G
License Status: Initial grace period
Time remaining: 39300 minute(s) (27 day(s))
Remaining Windows rearm count: 3
Trusted time: 1/3/2014 7:57:45 AM
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000000001
Event Time Stamp: 1:2:2014 20:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
HWID Data-->
HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET DELL CBX3
MCFG DELL CBX3
FPDT DELL CBX3
ASF! INTEL HCG
SSDT SataRe SataTabl
SSDT SataRe SataTabl
SSDT SataRe SataTabl
DMAR INTEL SNB
SLIC DELL CBX3
Friday, January 3, 2014 2:02 PM
-
Here's an extract from the summary report...
Line 17960: 2014-01-03 07:54:37, Info CSI 00000450 [SR] Repairing 19 (0x0000000000000013) components
Line 17961: 2014-01-03 07:54:37, Info CSI 00000451 [SR] Beginning Verify and Repair transaction
Line 17964: 2014-01-03 07:54:37, Info CSI 00000453 [SR] Cannot repair member file [l:14{7}]"alg.exe" of Microsoft-Windows-ALG, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17967: 2014-01-03 07:54:38, Info CSI 00000455 [SR] Cannot repair member file [l:24{12}]"wbengine.exe" of Microsoft-Windows-BLB-Engine-Main, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17970: 2014-01-03 07:54:38, Info CSI 00000457 [SR] Cannot repair member file [l:18{9}]"msdtc.exe" of Microsoft-Windows-COM-DTC-Runtime, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17973: 2014-01-03 07:54:38, Info CSI 00000459 [SR] Cannot repair member file [l:22{11}]"dllhost.exe" of Microsoft-Windows-COM-Surrogate, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17976: 2014-01-03 07:54:38, Info CSI 0000045b [SR] Cannot repair member file [l:22{11}]"ehsched.exe" of Microsoft-Windows-ehome-services-ehsched, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17979: 2014-01-03 07:54:38, Info CSI 0000045d [SR] Cannot repair member file [l:20{10}]"FXSSVC.exe" of Microsoft-Windows-Fax-Service, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17982: 2014-01-03 07:54:38, Info CSI 0000045f [SR] Cannot repair member file [l:24{12}]"iexplore.exe" of Microsoft-Windows-IE-InternetExplorer-Optional, Version = 8.0.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17985: 2014-01-03 07:54:38, Info CSI 00000461 [SR] Cannot repair member file [l:22{11}]"msiexec.exe" of Microsoft-Windows-Installer-Executable, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17988: 2014-01-03 07:54:38, Info CSI 00000463 [SR] Cannot repair member file [l:24{12}]"DVDMaker.exe" of Microsoft-Windows-OpticalMediaDisc-Wizard, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17991: 2014-01-03 07:54:38, Info CSI 00000465 [SR] Cannot repair member file [l:26{13}]"UI0Detect.exe" of Microsoft-Windows-Session0Viewer, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17994: 2014-01-03 07:54:38, Info CSI 00000467 [SR] Cannot repair member file [l:24{12}]"snmptrap.exe" of Microsoft-Windows-SNMP-Trap-Service, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 17997: 2014-01-03 07:54:38, Info CSI 00000469 [SR] Cannot repair member file [l:14{7}]"mip.exe" of Microsoft-Windows-TabletPC-MathInputPanel, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18000: 2014-01-03 07:54:38, Info CSI 0000046b [SR] Cannot repair member file [l:36{18}]"ShapeCollector.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18003: 2014-01-03 07:54:38, Info CSI 0000046d [SR] Cannot repair member file [l:48{24}]"InputPersonalization.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18006: 2014-01-03 07:54:38, Info CSI 0000046f [SR] Cannot repair member file [l:38{19}]"ConvertInkStore.exe" of Microsoft-Windows-TabletPC-InputPersonalization, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18009: 2014-01-03 07:54:38, Info CSI 00000471 [SR] Cannot repair member file [l:20{10}]"TabTip.exe" of Microsoft-Windows-TabletPC-InputPanel, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18012: 2014-01-03 07:54:38, Info CSI 00000473 [SR] Cannot repair member file [l:18{9}]"VSSVC.exe" of Microsoft-Windows-VssService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18015: 2014-01-03 07:54:38, Info CSI 00000475 [SR] Cannot repair member file [l:14{7}]"vds.exe" of Microsoft-Windows-VirtualDiskService, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18018: 2014-01-03 07:54:38, Info CSI 00000477 [SR] Cannot repair member file [l:24{12}]"WmiApSrv.exe" of Microsoft-Windows-WMI-Core, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18022: 2014-01-03 07:54:38, Info CSI 00000479 [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 18026: 2014-01-03 07:54:38, Info CSI 0000047b [SR] Cannot repair member file [l:24{12}]"mscorsvw.exe" of NetFx-MSCORSVW_EXE, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
I'll post a fix for the problems a bit later
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Friday, January 3, 2014 2:54 PM Moderator
-
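A CBS.log extract like the one in the post above is easier to triage once tallied. The following added example (not part of the thread; the sample records are constructed in the shape of the extract) parses `[SR] Cannot repair member file` records, even when they are pasted as one run-on line, and counts files, components and file extensions.

```python
import os
import re
from collections import Counter

# One "[SR] Cannot repair member file" record. Matching runs over the whole text
# instead of line by line, so records pasted as a single long line still parse.
RECORD = re.compile(
    r'(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s+Info\s+CSI\s+(?P<seq>[0-9a-f]{8})\s+'
    r'\[SR\]\s+Cannot\s+repair\s+member\s+file\s+\[l:\d+\{\d+\}\]"(?P<file>[^"]+)"\s+of\s+'
    r'(?P<component>[^,\s]+), Version = (?P<version>[\d.]+), '
    r'pA = PROCESSOR_ARCHITECTURE_(?P<arch>\w+)'
    r'.*?in the store, (?P<reason>[a-z ]+)',
    re.S,
)
HEADER = re.compile(r'\[SR\] Repairing (\d+) \(0x[0-9a-fA-F]+\) components')


def parse_unrepairable(text):
    """Return one dict per member file that SFC could not repair."""
    records = []
    for match in RECORD.finditer(text):
        record = match.groupdict()
        record['reason'] = record['reason'].strip()
        records.append(record)
    return records


def summarize(text):
    """Tally unrepairable files and cross-check against the 'Repairing N' header."""
    records = parse_unrepairable(text)
    header = HEADER.search(text)
    # The same component name built for two architectures counts as two components.
    components = {(r['component'], r['arch']) for r in records}
    extensions = Counter(os.path.splitext(r['file'])[1].lower() for r in records)
    return {
        'declared_components': int(header.group(1)) if header else None,
        'files': len(records),
        'components': len(components),
        'extensions': dict(extensions),
        'reasons': dict(Counter(r['reason'] for r in records)),
        # Every damaged member being an executable is worth noting during triage.
        'only_exe': bool(records) and set(extensions) == {'.exe'},
    }


def _entry(line_no, seq, name, component, version, arch):
    """Build one constructed record in the layout shown in the post."""
    n = len(name)
    return (
        f'Line {line_no}: 2014-01-03 07:54:38, Info CSI {seq} [SR] Cannot repair member file '
        f'[l:{2 * n}{{{n}}}]"{name}" of {component}, Version = {version}, '
        f'pA = PROCESSOR_ARCHITECTURE_{arch}, Culture neutral, VersionScope = 1 nonSxS, '
        'PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, '
        'PublicKey neutral in the store, hash mismatch'
    )


# Constructed sample: four records joined with spaces, as in the pasted extract.
SAMPLE = ' '.join([
    'Line 17960: 2014-01-03 07:54:37, Info CSI 00000450 '
    '[SR] Repairing 3 (0x0000000000000003) components',
    _entry(18000, '0000046b', 'ShapeCollector.exe',
           'Microsoft-Windows-TabletPC-InputPersonalization', '6.1.7600.16385', 'AMD64 (9)'),
    _entry(18003, '0000046d', 'InputPersonalization.exe',
           'Microsoft-Windows-TabletPC-InputPersonalization', '6.1.7600.16385', 'AMD64 (9)'),
    _entry(18022, '00000479', 'mscorsvw.exe', 'NetFx-MSCORSVW_EXE', '6.1.7600.16385', 'AMD64 (9)'),
    _entry(18026, '0000047b', 'mscorsvw.exe', 'NetFx-MSCORSVW_EXE', '6.1.7600.16385', 'INTEL (0)'),
])

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

Applied to the full extract in the post, the same tally gives 21 files in 19 components, every one an `.exe` with a hash mismatch in the store, which agrees with the "Repairing 19" header line.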
I've uploaded a file - jdoaa.zip - to my SkyDrive at Noel's SkyDrive
Please download and save it.
Right-click on the saved file and select Extract all...
Change the target to C:\ and click on Extract
Close all windows (it would be a good idea to print these instructions!)
Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'
Pick that
You'll have to log in with your username and password.
Pick the option to use a Command Prompt
At the prompt type
DIR C:\jdoaa
hit the enter key - if you get a 'Not Found' error try
DIR D:\jdoaa
or
DIR E:\jdoaa
The drive letter in use when you find the folder will need to be substituted (for <drive>) into the following command...
XCOPY <drive>:\jdoaa <drive>:\windows\winsxs /y /i /s /v /h
(e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )
run the command (it should take almost no time) and
when the prompt returns, type
EXIT
and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.
Now run SFC /SCANNOW in an Elevated Command Prompt
then reboot and upload the new CBS.log file to your SkyDrive Public folder, and post a new link
Also run a new MGADiag report, and post the result.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Friday, January 3, 2014 3:47 PM Moderator
-
Hi Noel,
Here is the link for the new CBS.log (same error that it found violations but couldn't repair them all):
https://skydrive.live.com/redir?resid=8A953BEC8992C1D0!2593&authkey=!AOxzyEd1TLrsoYA&ithint=file%2c.log
Here is a new MGADiag:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7601.0000-0032014
Installation ID: 017644968056766821704982002783835304670331514004396214
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 1/3/2014 10:25:41 AM
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000008001
Event Time Stamp: 1:2:2014 20:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
HWID Data-->
HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET DELL CBX3
MCFG DELL CBX3
FPDT DELL CBX3
ASF! INTEL HCG
SSDT SataRe SataTabl
SSDT SataRe SataTabl
SSDT SataRe SataTabl
DMAR INTEL SNB
SLIC DELL CBX3
Friday, January 3, 2014 4:31 PM
-
This is very strange - none of the errors has been fixed, and another 16 have crept in!
Please check the results of your CHKDSK....
Open Event Viewer
In the Left pane, navigate to the Windows Logs > Applications
in the right pane, click on 'Filter current log'
click on the down-arrow at the end of the 'Event Sources' box, and put a tick beside 'Wininit'
click OK
the latest event there should be your CHKDSK result - if not, then find it :)
double-click on the entry, then click the Copy button in the popup window, and paste the results into your response.
The next most likely explanation is malware....
Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.
Delete everything it finds
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth
No - I do not work for Microsoft, or any of its contractors.
Friday, January 3, 2014 5:07 PM Moderator
-
Hey Noel,
Here is the event viewer:
Checking file system on C:
The type of the file system is NTFS.
A disk check has been scheduled.
Windows will now check the disk.
CHKDSK is verifying files (stage 1 of 5)...
117248 file records processed.
File verification completed.
134 large file records processed.
0 bad file records processed.
2 EA records processed.
44 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
155812 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
117248 file SDs/SIDs processed.
Cleaning up 239 unused index entries from index $SII of file 0x9.
Cleaning up 239 unused index entries from index $SDH of file 0x9.
Cleaning up 239 unused security descriptors.
Security descriptor verification completed.
19283 data files processed.
CHKDSK is verifying Usn Journal...
33708592 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
117232 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
112986438 free clusters processed.
Free space verification is complete.
Windows has checked the file system and found no problems.
488282111 KB total disk space.
36034320 KB in 96120 files.
70320 KB in 19284 indexes.
0 KB in bad sectors.
231715 KB in use by the system.
65536 KB occupied by the log file.
451945756 KB available on disk.
4096 bytes in each allocation unit.
122070527 total allocation units on disk.
112986439 allocation units available on disk.
Internal Info:
00 ca 01 00 d7 c2 01 00 ab 78 03 00 00 00 00 00 .........x......
77 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 w...,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Windows has finished checking your disk.
Please wait while your computer restarts.
I'll go ahead and install Malwarebytes and run it, but I'm not sure where the malware came from. I'm getting these errors on multiple machines with a brand new install from the Dell disk. Tried it from an ISO on the volume license website, and it all comes back to the same thing. Everything works fine until we install Lync, which immediately causes the genuine error and the security center service stops. I should note that when Lync installs, it also installs C++ Redistributable x64 and x86 9.0.30729.4148. Once the install finishes for Lync, everything breaks. Before that, everything runs perfectly.
Friday, January 3, 2014 5:23 PM
Bizarre, MBAM actually found a few issues. Here is a copy of the log file (I removed everything):
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2014.01.03.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Waident :: CF-KCSPARE1 [administrator]
1/3/2014 11:38:18 AM
mbam-log-2014-01-03 (11-38-18).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 318368
Time elapsed: 15 minute(s), 58 second(s)
Memory Processes Detected: 1
C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> 292 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\WSearch (Trojan.FakeMS) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKLM\SYSTEM\CurrentControlSet\SERVICES\COMSYSAPP|Type (Hijack.Comsysapp) -> Bad: (272) Good: (16) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 9
C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\jdoaa\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\winsxs\amd64_microsoft-windows-alg_31bf3856ad364e35_6.1.7600.16385_none_04de43c774cf8fe3\alg.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_7a09c587c282995a\TabTip32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17610_none_dbd0d3376679543d\SearchIndexer.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
(end)
Here is the MGADiag afterwards (one file is no longer showing as mismatched):
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{C8E5BCB9-9B2B-4E5C-BAB7-A221828DD5DB}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3633131514-3088875990-2249285217</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 3010</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A11</Version><SMBIOSVersion major="2" minor="7"/><Date>20130916000000.000000+000</Date></BIOS><HWID>5A783607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CBX3 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7601.0000-0032014
Installation ID: 017644968056766821704982002783835304670331514004396214
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 1/3/2014 12:00:33 PM
Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000000001
Event Time Stamp: 1:2:2014 20:31
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
HWID Data-->
HWID Hash Current: LAAAAAEAAgABAAEAAAABAAAAAQABAAEA6GH4yYYhpFl86TD0SJ7CtxyrlmM=
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL CBX3
FACP DELL CBX3
HPET DELL CBX3
MCFG DELL CBX3
FPDT DELL CBX3
ASF! INTEL HCG
SSDT SataRe SataTabl
SSDT SataRe SataTabl
SSDT SataRe SataTabl
DMAR INTEL SNB
SLIC DELL CBX3
Friday, January 3, 2014 6:03 PM
That's worrying.
Check any other affected machine - you may have a worm on the network that's got in under the radar somehow and is spreading nasties around :(
I'd also take this machine off the network, and run an offline security scanner on it - http://www.microsoft.com/security/scanner/en-gb/default.aspx is pretty good, or you can use your favoured one and create the boot disk on a known-clean machine.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors.
- Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
Friday, January 3, 2014 6:32 PM, Moderator
Hey Noel,
You hit the nail on the head. I had the issue a few weeks ago and resolved it by downloading a new copy of Lync 2010 from the Volume Licensing website. I went ahead and deleted the copy we had saved on our file server and replaced it with this one that I had just downloaded. A few days later, I came back and used the copy I had recently uploaded to the server, and had issues again. I figured that since it was a brand new copy, no way it would cause issues. We are in the process of combing through the server for viruses. Any hints on where we can look or the best way to do it? This is a file server that many people use, and although we haven't had any virus issues come up recently, we want to take care of this one as fast as possible.
- Marked as answer by James Dodin Friday, January 3, 2014 7:41 PM
Friday, January 3, 2014 7:33 PM
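One way to act on the finding above, where the installer copy on the file server misbehaves and a fresh download does not: compare the two copies file by file and check each Authenticode signature. This is an added example, not part of the original thread; the function names and the paths in the usage comment are hypothetical.

```powershell
# Added example. Paths in the usage comment are placeholders, not values from the thread.
# Needs PowerShell 4.0+ (Get-FileHash). Run from a known-clean machine; it only reads files.
function Get-SignedFileReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [string[]] $Extension = @('.exe', '.dll', '.msi', '.msp')
    )
    $base = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $base -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                RelPath   = $_.FullName.Substring($base.Length).TrimStart('\')
                Status    = [string]$sig.Status   # Valid, HashMismatch, NotSigned, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWrite = $_.LastWriteTimeUtc
            }
        }
}

function Compare-ToKnownGood {
    param(
        [Parameter(Mandatory = $true)] [string] $SuspectRoot,    # copy on the file server
        [Parameter(Mandatory = $true)] [string] $ReferenceRoot   # fresh download, kept off the share
    )
    # Index the reference copy by relative path (hashtable keys are case-insensitive).
    $reference = @{}
    Get-SignedFileReport -Root $ReferenceRoot | ForEach-Object { $reference[$_.RelPath] = $_ }

    Get-SignedFileReport -Root $SuspectRoot | ForEach-Object {
        $known = $reference[$_.RelPath]
        # HashMismatch: the embedded signature no longer matches the file contents,
        # i.e. the file was changed after the publisher signed it.
        if ($_.Status -eq 'HashMismatch')    { $verdict = 'MODIFIED-AFTER-SIGNING' }
        elseif (-not $known)                 { $verdict = 'NOT-IN-REFERENCE' }
        elseif ($known.SHA256 -ne $_.SHA256) { $verdict = 'DIFFERS-FROM-REFERENCE' }
        else                                 { $verdict = 'OK' }
        $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

# Usage (hypothetical paths):
# Compare-ToKnownGood -SuspectRoot '\\fileserver\installers\Lync2010' -ReferenceRoot 'D:\fresh\Lync2010' |
#     Where-Object Verdict -ne 'OK' | Format-Table Verdict, RelPath, Status, LastWrite -AutoSize
```

A `NotSigned` status is inconclusive by itself, since many legitimate files carry no embedded signature; `HashMismatch`, or a hash that differs from the reference copy, is what marks a file for quarantine and analysis.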
I'm afraid that my knowledge of malware is way too outdated to be of any real use - I was at one time fairly proficient (back in 2005/6/7) but I'm way behind the curve currently.
If it was me, then I'd flatten and rebuild this machine from the ground up - in quarantine.
Once all required applications and security software are in place, and ONLY then, I'd bring back the data, after a remote scan with at least two different AV's (and MBAM!).
I do realise that this sort of timescale may be difficult - but then it should avoid having to do it two or three times!
If you want some really expert advice, you need to go to specialist malware forums such as www.bleepingcomputer.com and others.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors.
Friday, January 3, 2014 11:25 PM, Moderator